diff --git a/packages/auth-providers-api/src/dbAuth/DbAuthHandler.ts b/packages/auth-providers-api/src/dbAuth/DbAuthHandler.ts
index 3543301ca8e6..b33d9df42360 100644
--- a/packages/auth-providers-api/src/dbAuth/DbAuthHandler.ts
+++ b/packages/auth-providers-api/src/dbAuth/DbAuthHandler.ts
@@ -501,8 +501,18 @@ export class DbAuthHandler<
 this.options.forgotPassword as ForgotPasswordFlowOptions
 ).handler(this._sanitizeUser(user))
 
+ // remove resetToken and resetTokenExpiresAt if in the body of the
+ // forgotPassword handler response
+ let responseObj = response
+ if (typeof response === 'object') {
+ responseObj = Object.assign(response, {
+ [this.options.authFields.resetToken]: undefined,
+ [this.options.authFields.resetTokenExpiresAt]: undefined,
+ })
+ }
+
 return [
- response ? JSON.stringify(response) : '',
+ response ? JSON.stringify(responseObj) : '',
 {
 ...this._deleteSessionHeader,
 },
@@ -607,14 +617,14 @@ export class DbAuthHandler<
 },
 data: {
 [this.options.authFields.hashedPassword]: hashedPassword,
- [this.options.authFields.resetToken]: null,
- [this.options.authFields.resetTokenExpiresAt]: null,
 },
 })
 } catch (e) {
 throw new DbAuthError.GenericError()
 }
 
+ await this._clearResetToken(user)
+
 // call the user-defined handler so they can decide what to do with this user
 const response = await (
 this.options.resetPassword as ResetPasswordFlowOptions
diff --git a/packages/auth-providers-api/src/dbAuth/__tests__/DbAuthHandler.test.js b/packages/auth-providers-api/src/dbAuth/__tests__/DbAuthHandler.test.js
index 2fbbcf8fb5e3..6e60fcfa0f5e 100644
--- a/packages/auth-providers-api/src/dbAuth/__tests__/DbAuthHandler.test.js
+++ b/packages/auth-providers-api/src/dbAuth/__tests__/DbAuthHandler.test.js
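Review bot: The new `typeof response === 'object'` guard in forgotPassword admits `null`, so a handler that returns null now throws a TypeError from `Object.assign(null, …)` where the original code returned `''` through the existing `response ? … : ''` ternary. Tighten it to `if (response !== null && typeof response === 'object') {`, and prefer building a copy, `responseObj = { ...response, [this.options.authFields.resetToken]: undefined, [this.options.authFields.resetTokenExpiresAt]: undefined }`, over `Object.assign(response, …)`, which mutates the object the handler returned. The scrub only touches top-level keys, so a handler that nests the user record under another key would still serialize the token; that limitation belongs in the comment above the guard. forgotPassword's body begins and ends outside this hunk.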
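Review bot: `await this._clearResetToken(user)` runs after the try/catch that turns the password update's failure into `DbAuthError.GenericError()`, so a failure while clearing the token surfaces as the raw database error instead of the generic one, and the two writes are no longer one update: if the clear fails, the new password is already stored while the reset token presumably remains valid (the helper is not in this diff, so its exact behavior is inferred). Either move the call inside the try block next to the update, or keep the `[this.options.authFields.resetToken]: null` and `[this.options.authFields.resetTokenExpiresAt]: null` entries in that same `data` object so the token is cleared atomically with the password change. resetPassword's body begins and ends outside this hunk.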
@@ -767,15 +767,16 @@ describe('dbAuth', () => {
 // base64 characters only, except =
 expect(resetUser.resetToken).toMatch(/^\w{16}$/)
 expect(resetUser.resetTokenExpiresAt instanceof Date).toEqual(true)
- // response contains the user data, minus `hashedPassword` and `salt`
+
+ // response contains data returned from the handler
 expect(responseBody.id).toEqual(resetUser.id)
 expect(responseBody.email).toEqual(resetUser.email)
- expect(responseBody.resetToken).toEqual(resetUser.resetToken)
- expect(responseBody.resetTokenExpiresAt).toEqual(
- resetUser.resetTokenExpiresAt.toISOString()
- )
- expect(responseBody.hashedPassword).toEqual(undefined)
- expect(responseBody.salt).toEqual(undefined)
+
+ // response data should not include sensitive info
+ expect(responseBody.resetToken).toBeUndefined()
+ expect(responseBody.resetTokenExpiresAt).toBeUndefined()
+ expect(responseBody.hashedPassword).toBeUndefined()
+ expect(responseBody.salt).toBeUndefined()
 })
 
 it('returns a logout session cookie', async () => {
@@ -802,6 +803,22 @@ describe('dbAuth', () => {
 expect.assertions(1)
 })
 
+ it('removes the token from the forgotPassword response', async () => {
+ const user = await createDbUser()
+ event.body = JSON.stringify({
+ username: user.email,
+ })
+ options.forgotPassword.handler = (handlerUser) => {
+ return handlerUser
+ }
+ const dbAuth = new DbAuthHandler(event, context, options)
+ const response = await dbAuth.forgotPassword()
+ const jsonResponse = JSON.parse(response[0])
+
+ expect(jsonResponse.resetToken).toBeUndefined()
+ expect(jsonResponse.resetTokenExpiresAt).toBeUndefined()
+ })
+
 it('throws a generic error for an invalid client', async () => {
 const user = await createDbUser()
 event.body = JSON.stringify({
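Review bot: The new test only covers a handler that echoes `handlerUser` back, so it cannot catch a handler returning `null`, which the changed forgotPassword code now hands to `Object.assign` (see the DbAuthHandler.ts hunk); a second case pinning the empty body for that path would lock the contract down once the guard there is tightened. The test also assigns `options.forgotPassword.handler` on the shared `options` object, and if a `beforeEach` does not rebuild `options` (not visible here) that override leaks into later tests. The enclosing describe block starts and ends outside this hunk.
```javascript
    it('returns an empty body when the forgotPassword handler returns null', async () => {
      const user = await createDbUser()
      event.body = JSON.stringify({ username: user.email })
      options.forgotPassword.handler = () => null
      const dbAuth = new DbAuthHandler(event, context, options)
      const response = await dbAuth.forgotPassword()

      expect(response[0]).toEqual('')
    })
```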